{
	"id": "cb27c8fc-91b2-45fa-a321-a843bb9337d5",
	"created_at": "2026-04-06T00:17:29.533145Z",
	"updated_at": "2026-04-10T03:37:33.316526Z",
	"deleted_at": null,
	"sha1_hash": "ede872bcc20175b3ce40c9cc9697ddb92c111cd3",
	"title": "SUPERNOVA: A Novel .NET Webshell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1180322,
	"plain_text": "SUPERNOVA: A Novel .NET Webshell\r\nBy Matthew Tennis\r\nPublished: 2020-12-17 · Archived: 2026-04-02 12:03:08 UTC\r\nExecutive Summary\r\nThe actors behind the supply chain attack on SolarWinds’ Orion software have demonstrated a high degree of\r\ntechnical sophistication and attention to operational security, as well as a novel combination of techniques in the\r\npotential compromise of approximately 18,000 SolarWinds customers. As published in the original disclosure, the\r\nattackers were observed removing their initial backdoor once a more legitimate method of persistence was\r\nobtained.\r\nIn the analysis of the trojanized Orion artifacts, the .NET .dll app_web_logoimagehandler.ashx.b6031896.dll was\r\ndubbed SUPERNOVA, but little detail of its operation has been publicly explored. NOTE: The SUPERNOVA\r\nwebshell’s association with the SolarStorm actors is now questionable due to the aforementioned .dll not being\r\ndigitally signed, unlike the SUNBURST .dll. This may indicate that the webshell was not implanted early in\r\nSolarWinds’ software development pipeline as was SUNBURST, and was instead dropped by a third party.\r\nAdditionally, Guidepoint Security conducted their own research into SUPERNOVA, with similar conclusions.\r\nIn this blog, we will share an overview of its operation and function, tactics and techniques that support the\r\nhypothesis of an advanced persistent threat (APT), and what protections Palo Alto Networks provides against\r\ntrojanized SolarWinds instances:\r\nAttackers created a sophisticated, in-memory webshell baked into Orion’s code, which acted as an\r\ninteractive .NET runtime API.\r\nWebshell payload was compiled on the fly and executed dynamically, further complicating endpoint and\r\ndigital forensics and incident response (DFIR) analysis.\r\nAnti-Spyware signature 83225 has been added to prevent SUPERNOVA traffic.\r\nTechnical Overview\r\nIn conventional webshell attacks, these server script pages 
are often some sort of interactive frontend document\r\nthat can be manipulated to process backend side effects, which is most often some form of remote code execution\r\n(RCE). A webshell may be uploaded, downloaded or deployed by either targeting a misconfiguration or\r\nvulnerability in the underlying server, or dropped during post-exploitation as a means of secondary persistence. A\r\nwebshell itself is typically malware logic embedded in a script page and is most often implemented in an\r\ninterpreted programming language or context (most commonly PHP, Java JSP, VBScript and JScript ASP, and C#\r\nASP.NET). The webshell will receive commands from a remote server and will execute in the context of the web\r\nserver’s underlying runtime environment.\r\nhttps://unit42.paloaltonetworks.com/solarstorm-supernova\r\nPage 1 of 6\n\nThe SUPERNOVA webshell is also seemingly designed for persistence, but its novelty goes far beyond the\r\nconventional webshell malware that Unit 42 researchers routinely encounter.\r\nAlthough .NET webshells are fairly common, most publicly researched samples ingest command and control (C2)\r\nparameters, and perform some relatively surface-level exploitation. Some examples would be an attacker\r\ncommanding the implant to dump directory structures or operating system information, or to perform a network\r\ncall to load more exploitation tools.\r\nSUPERNOVA differs dramatically in that it takes a valid .NET program as a parameter. The .NET class, method,\r\narguments and code data are compiled and executed in-memory. 
There are no additional forensic artifacts written\r\nto disk, unlike low-level webshell stagers, and there is no need for additional network callbacks other than the\r\ninitial C2 request.\r\nIn other words, the attackers have constructed a stealthy and full-fledged .NET API embedded in an Orion binary,\r\nwhose user is typically highly privileged and positioned with a high degree of visibility within an organization’s\r\nnetwork. The attackers can then arbitrarily configure SolarWinds (and any local operating system feature on\r\nWindows exposed by the .NET SDK) with malicious C# code. The code is compiled on the fly during benign\r\nSolarWinds operation and is executed dynamically.\r\nThis is significant because it allows the attacker to deploy full-featured – and presumably sophisticated – .NET\r\nprograms in reconnaissance, lateral movement and other attack phases.\r\nImplant Phase\r\nThe implant itself is a trojanized copy of app_web_logoimagehandler.ashx.b6031896.dll, which is a proprietary\r\nSolarWinds .NET library that exposes an HTTP API. The endpoint serves to respond to queries for a specific .gif\r\nimage from other components of the Orion software stack. The relatively high quality code that was added to the\r\n.dll is innocuous and easily missed by defender automation, and even potentially by manual review.\r\nThe attackers have leveraged the benign file by adding four new parameters to the API and a malicious method\r\nthat executes the parameters in the context of the .NET runtime on the Orion host. Figure 1 below demonstrates\r\nthe normal or benign content of the Orion component.\r\nFigure 1. Benign SolarWinds code for handling the HTTP request and its response.\r\nLine 42 defines the collection of the parameters supplied to the HTTP endpoint, in which only id is valid and\r\nprocessed. 
However, the additional C2 parameters are added before this snippet in the same method,\r\nProcessRequest(), and the execution method is appended in this same file. Figure 2 shows part of the malicious\r\ncode (lines 27-41).\r\nFigure 2. Four C2 parameters are processed and then passed to the malicious method\r\nDynamicRun().\r\nThe four parameters depicted above – codes, clazz, method and args – are passed via the GET query string to the\r\ntrojanized logo handler component. These parameters are then executed in a custom method, which differs from\r\ntypical webshell behavior that simply invokes underlying operating system or programming language functions.\r\nC2 Parameter Purpose\r\nclazz C# Class object name to instantiate\r\nmethod Method of class clazz to invoke\r\nargs Arguments are newline-split and passed as positional parameters to method\r\ncodes .NET assemblies and namespaces for compilation\r\nTable 1. Command and control parameters\r\nNote for defenders:\r\nAny ingress traffic to logoimagehandler.ashx with a combination of these four parameters in any order of the\r\nquery string is a strong indicator of compromise (IOC). If a detection fires on this combination in any order,\r\nplease isolate and image your Orion instance immediately. If the request came from inside the network, then it is\r\nhighly probable that the user that initiated the request has also been compromised.\r\nExecution\r\nThe attacker may send a request to the embedded webshell over the internet or through an internally compromised\r\nsystem. The code is crafted to accept the parameters as components of a valid .NET program, which is then\r\ncompiled in-memory. 
No executable is dropped (and thus the webshell’s execution evades most defender endpoint\r\ndetections), and the compiled assembly immediately invokes the specified class method.\r\nThe try/catch block beginning on line 27 that encompasses the execution on line 37 has been added to presumably\r\nprevent operator error from causing an unhandled exception in Orion, which could trigger unwanted scrutiny. This\r\nis one small example of the attention paid by the actors to technical and operational security.\r\nFigure 3. DynamicRun() compiles the C2 parameters into a .NET assembly in-memory.\r\nOn lines 106 and 107, we can observe the innocuous compiler API flags that are subverted to impede defenders.\r\nLine 115 instantiates the class object specified by the attacker, and on line 116 the attacker code is executed.\r\nThis design pattern is known as dynamic code execution. In software engineering contexts, this allows for the\r\nprogram to be flexible and extensible. In the context of a cyberattack, the same is true for the attacker’s code and\r\ntools.\r\nTactics, Techniques and Procedures\r\nIn many ways, this webshell exhibits attributes common to other types of webshells. The malware is secretly\r\nimplanted onto a server, it receives C2 signals remotely and executes them in the context of the server user.\r\nHowever, SUPERNOVA is novel and potent due to its in-memory execution, sophistication in its parameters and\r\nexecution and flexibility by implementing a full programmatic API to the .NET runtime.\r\nIn-memory execution of a malicious binary is not a new technique with regard to malware behavior. 
That\r\ntechnique typically indicates an adversary’s attempt at foiling endpoint and DFIR detections.\r\nHowever, this is rarely encountered in webshell behavior, as typical webshells execute their payloads either in the\r\ncontext of the runtime environment or by calling a subshell or process (cmd.exe, PowerShell.exe or /bin/bash).\r\nSUPERNOVA compiles the parameters on the fly and executes the resulting assembly in-memory. Aside from\r\nevading detections, this indicates that the SolarStorm actors were adept enough to purposely hide their traffic and\r\nbehavior in plain sight and to avoid leaving trace evidence behind.\r\nProtections\r\nAside from the numerous protections offered across the Palo Alto Networks product suite, Anti-Spyware signature\r\n83225 has been created to detect any residual C2 infrastructure still present in impacted networks.\r\nConclusion\r\nThe strategy of implanting webshells in vulnerable servers is not a new tactic for malicious actors. However, the\r\nrelative sophistication of the code compared to routine webshell malware is surprising. Furthermore, the furor of\r\nthe attacks against SolarWinds further amplifies interest in novel techniques such as those used in SUPERNOVA.\r\nThe only way to catch advanced intrusions is a defense-in-depth strategy. 
Only by orchestrating multiple security\r\nappliances and applications in a single pane can defenders detect these attacks.\r\nPalo Alto Networks customers are protected by the following:\r\nEndpoint protection through Cortex XDR.\r\nMalware sandbox detection through WildFire (Next-Generation Firewall security subscription).\r\nAn array of defenses including IPS and AppID in Threat Prevention (Next-Generation Firewall security\r\nsubscription).\r\nThreat intelligence with Cortex Data Lake.\r\nNetwork defense orchestration with Cortex XSOAR.\r\nAcknowledgements\r\nThe author would like to thank the following team members for their tireless efforts and invaluable contributions\r\nto this research:\r\nDurgesh Sangvikar, Chris Navarrete, Hui Gao, Rongbo Shao, Kyle Wilhoit, Derrick Chang, Alex Krepelka, Byron\r\nAlvarez and KMAP Pena.\r\nIndicators of Compromise\r\nSolarWinds Orion app_web_logoimagehandler.ashx.b6031896.dll\r\nc15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71\r\nURI\r\nlogoimagehandler[.]ashx\r\nHTTP Query String Params\r\nclazz\r\nmethod\r\nargs\r\ncodes\r\nSource: https://unit42.paloaltonetworks.com/solarstorm-supernova",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/solarstorm-supernova"
	],
	"report_names": [
		"solarstorm-supernova"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434649,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ede872bcc20175b3ce40c9cc9697ddb92c111cd3.pdf",
		"text": "https://archive.orkl.eu/ede872bcc20175b3ce40c9cc9697ddb92c111cd3.txt",
		"img": "https://archive.orkl.eu/ede872bcc20175b3ce40c9cc9697ddb92c111cd3.jpg"
	}
}